Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-61359

Self-XSS when sending message to another user

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 3.4.1, 3.5.1, 3.6
    • 3.4.5, 3.5.2
    • Messages
    • MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_34_STABLE, MOODLE_35_STABLE
    • MDL-61359-master
    • Hide
      1. Log in as an admin.
      2. If there are no users on your site create one.
      3. Click on the message icon in the top-right.
      4. Click on 'See all'.
      5. Click on the 'Contacts' tab.
      6. Search for another user on the site.
      7. Click on their name.
      8. CONFIRM sending plain text messages works as before (appears under the recipients name as the most recent message, and appears in the message conversation area).
      9. Send the following string as a message, and CONFIRM no alert popup is triggered in the browser: 

        <script>alert('Test alert');</script>

        The message should display in the same places as step 2. Note that in the message it will display encoded as <script>alert('Test alert');</script>, rather than verbatim what was sent, but this is unrelated to this issue/fix.

      Show
      Log in as an admin. If there are no users on your site create one. Click on the message icon in the top-right. Click on 'See all'. Click on the 'Contacts' tab. Search for another user on the site. Click on their name. CONFIRM sending plain text messages works as before (appears under the recipients name as the most recent message, and appears in the message conversation area). Send the following string as a message, and CONFIRM no alert popup is triggered in the browser: &lt;script&gt;alert( 'Test alert' );&lt;/script&gt; The message should display in the same places as step 2. Note that in the message it will display encoded as <script>alert('Test alert');</script> , rather than verbatim what was sent, but this is unrelated to this issue/fix.

    Description

      We have received an email to security address at moodle with the description of self-XSS that can be easily reproduced. This is not a security issue because you can not attack other users.

      Security Researcher: Dan Nino I. Fabro

      Description and Impact:
      I was continually browsing the website when I found something
      interesting. One of the features of the website is to enable
      communication with other users using the chatbox, url:
      https://school.demo.moodle.net/message/index.php?user=[USERNUMBER]&id=[IDNUMBER],
      now, the input field of the chatbox is the one vulnerable here wherein
      an attacker may use this as an attack vector for injecting arbitrary
      javascript code and enable himself to steal or edit cookies of other
      users of the site.
      I was only using demo account, what if real account already, right?

      Payload used:
      "><img src=x onerror=prompt(document.cookie)>

      Browser used:
      Google Chrome Version 61.0.3163.100 (Official Build)
      (64-bit)

      Attachments

        Issue Links

          has a non-specific relationship to

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-62736 Messages should display what was typed verbatim

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has been marked as being related by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-58409 Self-XSS in autocomplete element (for example "Tags")

          • Minor - Minor loss of function where workaround is possible
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-61420 XSS HTML encode Payload Bug on Moodle Messages

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              michaelh Michael Hawkins
              marina Marina Glancy
              Mark Nelson Mark Nelson
              Jake Dallimore Jake Dallimore
              Janelle Barcega Janelle Barcega
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              2 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                10/Sep/18

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 30 minutes
                  30m